Potential fix for code scanning alert no. 28: Unsafe shell command constructed from library input #75
@@ -36,7 +36,7 @@
try {
// Clone with no checkout
await execAsync(`git clone --no-checkout --progress ${repoURL} ${targetDir}`, {
await execFileAsync("git", ["clone", "--no-checkout", "--progress", repoURL, targetDir], {
Check failure: Code scanning / CodeQL: Second order command injection (High)
Command line argument that depends on library input
This autofix suggestion was applied.
Copilot Autofix, AI, 29 days ago
In general, to fix this kind of issue you must ensure that any value that can affect git's interpretation of command-line arguments (repository URL, extra options) is validated or constrained before being passed to
In this codebase the best targeted fix is:
This approach:
No changes are required in
Suggested changeset (1 file): packages/sdk/src/client/common/templates/git.ts
maxBuffer: 10 * 1024 * 1024,
});
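Review bot: moving from execAsync to execFileAsync removes shell interpretation, but repoURL and targetDir are still positional arguments that git's own option parser sees, so a value beginning with "-" (for instance "--upload-pack=<cmd>", a real git clone option) is still read as an option rather than a repository; that is what the CodeQL "Second order command injection" annotation on the new line reports. Insert "--" before repoURL in the argv, i.e. ["clone", "--no-checkout", "--progress", "--", repoURL, targetDir], and validate both values (reject a leading "-", restrict schemes) before the call, as the autofix comment suggests; "--" alone does not block dangerous URL forms such as ext:: helpers.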
Check failure: Code scanning / CodeQL: Second order command injection (High)
Copilot Autofix, AI, 29 days ago
In general, to fix second-order git command injection you must ensure any user-controlled values that become git repository URLs or clone destinations cannot be interpreted as git options. At a minimum, reject inputs that start with -, and ideally constrain them to known-good schemes (e.g. https://, git@, ssh://, file://, or local paths). This validation must happen before passing values into execFile("git", [...]) (or equivalent), and must be applied consistently to all code paths that can receive tainted inputs.
For this codebase, the best targeted fix is:
Strengthen validateRepoURL in packages/sdk/src/client/common/templates/git.ts so it:
-.
Ensure this validation also covers other git operations performed in this file (e.g. subdirectory/template fetch helpers, which are in the omitted [...]), by reusing validateRepoURL/validateTargetDir anywhere a potentially tainted repo URL or directory is passed to execFileAsync("git", ...). Since you've provided only the fetchTemplate snippet, we will confine edits to strengthening the validators there, which addresses the flagged sink at line 76 and any other code in this file that already calls these validators.
Concretely, in packages/sdk/src/client/common/templates/git.ts we will modify validateRepoURL to add: URL constructor when the string contains ://, and a check to allow only http:, https:, ssh:, or git: schemes.
No other files (create.ts, index.ts) require code changes to address this specific injection risk; they will continue to pass cfg.repoURL down as before, but that value will now be validated in fetchTemplate.
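The two autofix comments above describe the check but do not show it. The following is an added example, not code from this PR or from the git.ts in the repository: it shows why execFile alone does not close the alert (git parses its own argv, so a repoURL such as "--upload-pack=<cmd>", which is a real git clone option, is read as a flag) and what a validateRepoURL/validateTargetDir pair that enforces the comment's rules looks like. The function names come from the comment; their bodies, the scp-like regex, the ".." rule for targetDir, and the use of "--" before the positional arguments are assumptions made here.

```typescript
// Added example (not the project's code). execFile() removes the shell, but
// git still parses its own argv: a repoURL or targetDir that begins with "-"
// (for example "--upload-pack=<cmd>") is read as an option, which is the
// "second order" injection CodeQL reports on the execFileAsync line. The
// validator bodies are assumptions about what git.ts should enforce.
import { execFile } from "node:child_process";
import { promisify } from "node:util";

const execFileAsync = promisify(execFile);

// Schemes git may be handed; file:, ext:: and unknown remote helpers are excluded.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "ssh:", "git:"]);
// scp-like form git also accepts: user@host:path (no "://"). Assumed shape.
const SCP_LIKE = /^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+:[^\s:]+$/;
const SPACE_OR_CONTROL = /[\s\x00-\x1f\x7f]/;

export function validateRepoURL(repoURL: string): string {
  if (repoURL.length === 0) throw new Error("repoURL must not be empty");
  // A leading "-" is parsed by git as an option, not as a repository.
  if (repoURL.startsWith("-")) throw new Error(`repoURL must not start with "-": ${repoURL}`);
  if (SPACE_OR_CONTROL.test(repoURL)) throw new Error("repoURL contains whitespace or control characters");
  if (repoURL.includes("://")) {
    let parsed: URL | undefined;
    try {
      parsed = new URL(repoURL);
    } catch {
      // fall through to the error below
    }
    if (parsed === undefined) throw new Error(`repoURL is not a well-formed URL: ${repoURL}`);
    if (!ALLOWED_SCHEMES.has(parsed.protocol)) throw new Error(`repoURL scheme not allowed: ${parsed.protocol}`);
    if (parsed.hostname === "") throw new Error("repoURL must name a host");
    return repoURL;
  }
  if (SCP_LIKE.test(repoURL)) return repoURL;
  throw new Error(`repoURL is neither an allowed URL nor user@host:path: ${repoURL}`);
}

export function validateTargetDir(targetDir: string): string {
  if (targetDir.length === 0) throw new Error("targetDir must not be empty");
  if (targetDir.startsWith("-")) throw new Error(`targetDir must not start with "-": ${targetDir}`);
  if (/[\x00-\x1f\x7f]/.test(targetDir)) throw new Error("targetDir contains control characters");
  // Assumption: clones must stay below the caller's working directory.
  if (targetDir.split(/[\\/]/).includes("..")) throw new Error("targetDir must not contain '..'");
  return targetDir;
}

// Boolean wrappers so callers (and tests) can probe inputs without try/catch.
export function isValidRepoURL(repoURL: string): boolean {
  try { validateRepoURL(repoURL); return true; } catch { return false; }
}
export function isValidTargetDir(targetDir: string): boolean {
  try { validateTargetDir(targetDir); return true; } catch { return false; }
}

export function buildCloneArgs(repoURL: string, targetDir: string): string[] {
  const url = validateRepoURL(repoURL);
  const dir = validateTargetDir(targetDir);
  // "--" ends git's option parsing: defence in depth if validation is ever bypassed.
  return ["clone", "--no-checkout", "--progress", "--", url, dir];
}

export async function cloneNoCheckout(repoURL: string, targetDir: string): Promise<void> {
  // An argument vector, never a shell string, so no quoting is involved at all.
  await execFileAsync("git", buildCloneArgs(repoURL, targetDir), { maxBuffer: 10 * 1024 * 1024 });
}
```

Note that "--" does not make validation optional: it stops git reading a value as a flag, but a URL such as an ext:: remote helper or a file:// path is still a URL, and only the scheme check above rejects those.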